Drop hard requirement for CONNTRACK_MATCH
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5735 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
ba2dcd6d45
commit
50195b17ce
@ -738,7 +738,6 @@ sub do_test ( $$ )
"${invert}$match $testval ";
}
#
# Create a "-m limit" match for the passed LIMIT/BURST
#
@ -882,6 +881,7 @@ sub match_orig_dest ( $ ) {
my $net = $_[0];
return '' if $net eq ALLIPv4;
return '' unless $capabilities{CONNTRACK_MATCH};
if ( $net =~ /^!/ ) {
$net =~ s/!//;
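Review bot: The added `return '' unless $capabilities{CONNTRACK_MATCH};` makes an ORIGINAL DEST value silently vanish from the generated rule when conntrack match is unavailable, so a rule written to apply only to traffic originally addressed to $net is emitted without that restriction and matches more broadly than the configuration states; the same silent drop occurs in the expand_rule hunk, where `$origdest` is reset to '' under `! $capabilities{CONNTRACK_MATCH}`. process_rule1 guards this with require_capability for non-NAT rules only, so NAT rules presumably still reach this fallback. A warning naming the rule at the point the value is discarded, or at least a header comment such as `# Returns '' when conntrack match is unavailable: the ORIGINAL DEST restriction is then dropped from the rule`, would make the widening visible to the administrator. match_orig_dest begins before this hunk and its body continues past it.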
@ -1207,7 +1207,7 @@ sub expand_rule( $$$$$$$$$$ )
}
if ( $origdest ) {
if ( $origdest eq '-' ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
$origdest = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
#
@ -28,7 +28,19 @@ use warnings;
use Shorewall::Common;
our @ISA = qw(Exporter);
our @EXPORT = qw(find_file expand_shell_variables get_configuration report_capabilities propagateconfig append_file run_user_exit generate_aux_config %config %env %capabilities );
our @EXPORT = qw(find_file
expand_shell_variables
get_configuration
require_capability
report_capabilities
propagateconfig
append_file
run_user_exit
generate_aux_config
%config
%env
%capabilities );
our @EXPORT_OK = ();
our @VERSION = 1.00;
@ -251,6 +263,13 @@ sub report_capabilities() {
}
}
sub require_capability( $$ ) {
my ( $capability, $description ) = @_;
fatal_error "$description requires $capdesc{$capability} in your kernel and iptables"
unless $capabilities{$capability};
}
#
# Some files can have shell variables embedded. This function expands them from %ENV.
#
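Review bot: The new `require_capability` has no header comment, while the neighbouring subs in this file are introduced by a `#` block; a comment like `# Abort via fatal_error unless the named capability is present; $description names the feature that needs it.` would match the file's style. The message also interpolates `$capdesc{$capability}` without a fallback, so a misspelled capability name yields an uninitialized-value warning and the text "requires  in your kernel"; `fatal_error "$description requires " . ( $capdesc{$capability} || $capability ) . " in your kernel and iptables"` keeps the message readable in that case. The sub itself is complete within the hunk.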
@ -988,7 +988,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
}
}
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
if ( $origdest && $origdest ne '-' ) {
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
} elsif ( $origdest ne 'detect' ) {
if ( $config{DETECT_DNAT_IPADDRS} ) {
my $interfacesref = $zones{$sourcezone}{interfaces};
my @interfaces = keys %$interfacesref;
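Review bot: The new `elsif ( $origdest ne 'detect' )` is only reached when `$origdest` is false or '-', so the condition is always true there and the detection block no longer runs for an explicit ORIGINAL DEST of 'detect', which the replaced `unless` admitted; 'detect' now falls into the require_capability branch instead. If that is intended the guard can simply become `} else {`, otherwise 'detect' needs its own branch ahead of the require_capability call. If `$origdest` can be undef at this point, the `ne` comparison also raises an uninitialized-value warning under `use warnings`. The enclosing block and process_rule1 continue outside the hunk.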
@ -179,7 +179,7 @@ sub compile_stop_firewall() {
emit <<'EOF';
#
# Stop/restore the firewall after an error or because of a \'stop\' or \'clear\' command
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
#
stop_firewall() {
@ -544,6 +544,7 @@ sub generate_script_2 () {
# Generate the end of 'setup_routing_and_traffic_shaping()':
# Generate code for loading the various files in /var/lib/shorewall[-lite]
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
#
# Generate the 'setup_netfilter()' function that runs iptables-restore.
# Generate the 'define_firewall()' function.
#
@ -575,7 +576,9 @@ sub generate_script_3() {
emit "#\n# Start/Restart the Firewall\n#";
emit 'define_firewall() {';
push_indent;
emit 'setup_routing_and_traffic_shaping;
emit<<'EOF';
setup_routing_and_traffic_shaping;
if [ $COMMAND = restore ]; then
iptables_save_file=${VARDIR}/$(basename $0)-iptables
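Review bot: `emit<<'EOF';` is written without the space that compile_stop_firewall's `emit <<'EOF';` uses; keeping the one form `emit <<'EOF';` makes the heredoc easier to spot when scanning the generator. Because the heredoc is single-quoted, `${VARDIR}` and `$(basename $0)` reach the generated shell script verbatim, which looks intended; the terminator `EOF` in the following hunk has to sit at column 0, which this rendering cannot confirm. generate_script_3 begins before this hunk and the heredoc runs on past it.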
@ -611,7 +614,8 @@ case $COMMAND in
restore)
logger -p kern.info "$PRODUCT restored"
;;
esac';
esac
EOF
pop_indent;
@ -632,21 +636,11 @@ sub compiler( $ ) {
report_capabilities if $ENV{VERBOSE} > 1;
fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Conntrack Match Support' )
unless $capabilities{CONNTRACK_MATCH};
fatal_error join ( '', 'Shorewall-perl ', $env{VERSION}, ' requires Multi-port Match Support' )
unless $capabilities{MULTIPORT};
fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Address Type Match Support' )
unless $capabilities{ADDRTYPE};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
if ( $config{MANGLE_ENABLED} ) {
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
}
require_capability( 'MULTIPORT' , "Shorewall-perl $env{VERSION}" );
require_capability( 'ADDRTYPE' , "Shorewall-perl $env{VERSION}" );
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED};
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
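Review bot: The replaced block carried `fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};`, and nothing in the new require_capability list covers it, so an RFC1918_STRICT=Yes configuration now compiles on a system without conntrack match and the strictness it asks for cannot be enforced; unless that degradation is deliberate, `require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' ) if $config{RFC1918_STRICT};` restores the check in the new style. The mangle check also changed its trigger from `$config{MANGLE_ENABLED}` to `$config{TC_ENABLED}`, which may well be intended but is not mentioned in the commit message. compiler's body continues outside the hunk.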
@ -47,7 +47,6 @@ a) The Perl-based compiler requires the following capabilities in your
kernel and iptables.
- addrtype match (may be relaxed later)
- conntrack match (may be relaxed later)
- multiport match (will not be relaxed)
These capabilities are in current distributions.